Microsoft’s patch on November 8th, 2022, brought about unforeseen challenges, causing multiple Kerberos sign-in and authentication errors for users, particularly on Windows Domain Controllers. This blog outlines some of the issues triggered by the patch, identifies the error in question, details the resolution provided by Microsoft, and offers insights for Windows Server 2003 environments.

Issues Caused by the Patch

The patch installation on Windows Domain Controllers resulted in various complications, such as:

  1. Domain user sign-in failures, impacting Active Directory Federation Services (AD FS) authentication.
  2. Group Managed Service Accounts (gMSA) failures for services like Internet Information Services (IIS Web Server).
  3. Remote Desktop connection issues for domain users.
  4. Inability to access shared folders on workstations and file shares on servers.
  5. Authentication failures for domain user-dependent printing.

Affected Platforms

Both server and client platforms experienced these issues, affecting a range of operating systems, including Windows 7 SP1, Windows 8.1, Windows 10, Windows Server 2003, and the latest release, Windows Server 2022.

Identifying the Kerberos Sign-In & Authentication Error

The error manifests in the System Event Log of the affected Domain Controller as Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14. The distinguishing signature is the event message text, which reports that no suitable key was available for generating a Kerberos ticket.
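As an added example (not code from the original post), the following PowerShell function queries a Domain Controller's System log for the Event ID 14 entries described above. The log name, provider name and event ID come from the post; the function name, its parameters, the 30-day default window and the "suitable key" message filter are assumptions made for this example.

```powershell
# Added example: find Kerberos KDC Event ID 14 ("no suitable key") entries on a DC.
# Log name, provider and event ID are the ones the post names; the function name,
# parameters and message-text filter are assumptions for this example.
function Find-KdcMissingKeyEvents {
    [CmdletBinding()]
    param(
        # DC to query; defaults to the local machine. Remote queries need RPC access to the event log service.
        [string]$ComputerName = $env:COMPUTERNAME,
        # How far back to look; the problem began with the 8 November 2022 update.
        [datetime]$StartTime = (Get-Date).AddDays(-30),
        # Optional message-text filter (case-insensitive regex); the post describes the
        # event as reporting that no suitable key was available to generate a ticket.
        [string]$MessagePattern = 'suitable key'
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14
        StartTime    = $StartTime
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no hits"
    # so the function can be called in a loop over many DCs without stopping.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events |
        Where-Object { -not $MessagePattern -or $_.Message -match $MessagePattern } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $ComputerName
                TimeCreated  = $_.TimeCreated
                EventId      = $_.Id
                # Collapse the multi-line event text so it reads as one line in reports.
                Message      = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

# Usage: run on each DC (or against it remotely) and count hits. A non-zero count
# after the 8 November 2022 update is the signature the post describes.
$hits = Find-KdcMissingKeyEvents
"{0} matching KDC Event ID 14 entries on {1}" -f @($hits).Count, $env:COMPUTERNAME
$hits | Sort-Object TimeCreated -Descending | Select-Object -First 5 | Format-List

# To sweep every DC in the domain (requires the ActiveDirectory module):
# Get-ADDomainController -Filter * | ForEach-Object { Find-KdcMissingKeyEvents -ComputerName $_.HostName }
```

Running this before and after installing the out-of-band update gives a simple before/after count per DC, which is a cleaner confirmation that the fix took effect than waiting for users to report sign-in failures.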

Resolving the Issue

Microsoft responded promptly with an optional out-of-band update released on November 17th, 2022. This fix, available through the Microsoft Update Catalog, resolves the issue without requiring updates or changes to other servers or client devices. Microsoft advises removing any workarounds or mitigations put in place while the problem was active.

Windows Server 2003 Environments

Microsoft does not currently provide an update for Windows Server 2003 environments, consistent with its commitment to security hardening. A workaround exists, but it requires enabling SMBv1, which poses significant security risks. Microsoft strongly recommends migrating applications off Windows 2003 servers and avoiding the SMBv1 workaround because the protocol is outdated and unsafe.

A Solution for Windows 2003 Server Environments

The optimal approach for Windows 2003 Server environments is migrating applications to a modern, supported environment. VirtaMove has successfully assisted numerous organizations in resolving this challenge without compromising security or disrupting business operations.

For help navigating this issue, please contact us to see how VirtaMove can help.